Using DHCP Securely

There is no such thing as secure DHCP. You'll see it
over and over again in this chapter. However, there are ways to make
a DHCP-based network a little more resistant to attack. There are
several keys to doing this.

First, we must examine the common attack vectors against DHCP. Then
we'll examine the countermeasures. And finally, we
can look at the system overall and determine whether
it's secure enough for our specific needs. If not,
there is one simple answer: do not use DHCP. Manually configuring
TCP/IP on client computers remains a viable option, and many
companies throughout the world do it today. Although it incurs a
fairly high TCO and requires a significantly larger IT staff, manual
configuration is not without its place.

Overriding all our concerns about DHCP is one basic assumption. To
mount a DHCP-based attack of any type, an intruder must have initial
access to your network. That is, to hijack clients by sending DHCP
Offers, the attacker must put his own computer with a DHCP server on
your network. The same is true for all other attack vectors. So one
way to help thwart DHCP-based attacks is to tightly control network
access. This is discussed throughout the book, but especially in
Chapter 14.

TIP:
All the procedures listed here assume DHCP is already installed on
the computer. Installation and normal operation of DHCP are beyond
the scope of this book.

Configuring DHCP for proper administration

Windows Server 2003
provides a user group called DHCP
Administrators. This group contains all user accounts that are
authorized to modify DHCP settings. The membership for this group
should be tightly controlled and audited to ensure that no
unauthorized users are added to it. This will help prevent both
accidental and intentional misconfigurations and help prevent
security incidents and denial-of-service occurrences.

Monitoring DHCP for DoS attacks

The first and
simplest attack against DHCP is to lease all the addresses in its
database. As discussed earlier, leasing all the addresses is a fairly
simple attack that causes a denial of service by stopping legitimate
computers from obtaining DHCP addresses.

A DHCP denial-of-service attack cannot be truly prevented. However,
it can be detected early and stopped in its tracks. To do this, you must monitor DHCP.
Monitoring DHCP can show you how many leases have been issued over
time and can indicate an attack by showing a massive spike or
prolonged above-average lease requests. You can also monitor servers
to determine when their percentage of available addresses falls below
a predetermined threshold, perhaps 5%. Either of these statistics could
indicate a DHCP-focused attack.

To monitor DHCP, you can use the DHCP MMC snap-in, the System
Monitor tool, or the Performance Logs and Alerts snap-in. Both the
DHCP and System Monitor tools give great snapshots of
what's happening with the server at that moment.
However, they're not as useful for gathering data
over time and identifying trends. To do that, we'll
need to use Performance Logs and Alerts.

Knowing what we do about DHCP, we can assume that a denial-of-service
attack will take the form of continuous DHCP Discover and DHCP
Request messages being received. We can create an administrative
alert to tell us when an abnormally high number of DHCP Requests are
received on a server.

Before we begin, we must baseline the
DHCP traffic. Baselining is, simply put,
observing the normal operation of the server to see what it does. In
our example, we must baseline the DHCP traffic coming into the
server. There are many ways to baseline, but for this book,
we'll keep it simple. We'll
baseline the DHCP Request traffic over three normal workdays to
determine the average traffic that we should expect.

To do this, we follow this procedure:

1. Click Start → Run, type Perfmon.exe, and then press Enter. This
   brings up the Performance snap-in, which is a combination of System
   Monitor and Performance Logs and Alerts.

2. Double-click Performance Logs and Alerts, and then double-click
   Counter Logs.

3. Right-click Counter Logs, and then click New Log Settings.

4. Type a name for the log, such as DHCP Offer traffic. Then press
   Enter.

5. Click Add Counters.

6. Under Performance Object, select DHCP Server. Then under Select
   Counters from List, select Requests/sec. Click Add to add this
   counter. Then click Close.

7. Click OK. If the folder for the performance log does not exist, you
   will be prompted to allow its creation. Click Yes.

Once the three days have elapsed, you will be able to view the
counter log and determine what the average DHCP Offer traffic is for
this computer. Let's assume for brevity that you
determine from this log that the maximum DHCP Offers per second the
server encountered was 15. This helps us determine when an attack
might be taking place.

There is no exact science to determining a number that indicates a
problem. You need to decide whether you want more false positives or
false negatives. In this case, let's assume a safe
number is 20. If your DHCP server encounters more than 20 DHCP
Requests per second, you want to know so you can examine the
situation and determine whether an attack is taking place.

You can do this by setting up an administrative alert, as shown here:

1. Click Start → Run, type Perfmon.exe, and then press Enter. This
   brings up the Performance snap-in, which is a combination of System
   Monitor and Performance Logs and Alerts.

2. Double-click Performance Logs and Alerts, and then double-click
   Alerts.

3. Right-click Alerts, and then click New Alert Settings.

4. Provide a name for this alert, such as DHCP DOS attack. Then press
   Enter.

5. Click Add.

6. Under Performance Object, select DHCP Server. Then under Select
   Counters from List, select Requests/sec. Click Add to add this
   counter. Then click Close.

7. Click the Action tab. This is where you tell the alert what to do
   when the threshold is met.

8. Click OK.

Figure 11-4. This alert logs an event and sends a network message to the author

You now have a tool in place that will help you identify DHCP
denial-of-service attacks. There are other tools and processes you
could use, to be sure, but this one is included in Windows Server
2003, takes very little time to set up, and is reasonably effective.
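The baseline-then-threshold workflow described above, written out as an added example (this is not code from the book, and Perfmon itself has no scripting hook of this kind on Windows Server 2003). It derives an alert threshold from baseline Requests/sec samples, fires only when the counter stays over the threshold for several consecutive samples, and checks the second indicator the chapter mentions, the free-address percentage of a scope. The sample values, the 30% headroom factor and the three-sample hold are assumptions of the example; in production the samples would come from a Performance Logs and Alerts counter log or another collector.

```python
"""Baseline-then-threshold alerting for the DHCP Server\\Requests/sec counter.

Added example, not part of the original chapter. All counter samples
below are constructed; in production they would come from a Performance
Logs and Alerts counter log or an equivalent collector.
"""
import math

# Constructed per-second Requests/sec samples standing in for three
# normal workdays of baseline data. The observed peak is 15, as in the text.
BASELINE_SAMPLES = [3, 5, 4, 8, 12, 15, 9, 6, 4, 7, 11, 14, 10, 5, 3]

# Constructed "live" samples containing one sustained burst.
LIVE_SAMPLES = [5, 8, 12, 18, 21, 22, 25, 40, 60, 55, 9, 6, 21, 7]


def baseline_threshold(samples, headroom=1.3):
    """Derive an alert threshold from baseline samples.

    The chapter chooses 20 by judgement from an observed peak of 15. Here
    that judgement is written down as "peak plus ~30% headroom, rounded
    up" (the 1.3 factor is an assumption of this example, not the book's).
    A larger factor means fewer false positives; a smaller one means fewer
    false negatives.
    """
    if not samples:
        raise ValueError("baseline needs at least one sample")
    return math.ceil(max(samples) * headroom)


def evaluate(samples, threshold, sustain=3):
    """Return (index, value) pairs at which an alert would fire.

    The Perfmon alert fires on any single sample over the threshold. This
    version requires `sustain` consecutive over-threshold samples before
    firing, and re-arms once the counter drops back under the threshold,
    which suppresses one-second blips without missing a real flood.
    """
    fired = []
    consecutive = 0
    for index, value in enumerate(samples):
        if value > threshold:
            consecutive += 1
            if consecutive == sustain:
                fired.append((index, value))
        else:
            consecutive = 0
    return fired


def pool_low(total_addresses, leased_addresses, floor_percent=5.0):
    """True when the scope's free-address percentage is below the floor.

    This is the second indicator the chapter mentions: available addresses
    falling under a chosen percentage (5% in the text).
    """
    if total_addresses <= 0:
        raise ValueError("scope must contain at least one address")
    free_percent = 100.0 * (total_addresses - leased_addresses) / total_addresses
    return free_percent < floor_percent


if __name__ == "__main__":
    threshold = baseline_threshold(BASELINE_SAMPLES)
    print(f"baseline peak {max(BASELINE_SAMPLES)}/s -> alert threshold {threshold}/s")
    for index, value in evaluate(LIVE_SAMPLES, threshold):
        print(f"ALERT: sample {index} at {value} Requests/sec, sustained over {threshold}")
    print("scope below 5% free:", pool_low(250, 240))
```

Requiring a sustained excursion is the trade-off the chapter describes in code form: it costs a few seconds of detection latency and in exchange a single busy second (a lab rebooting, a switch coming back) does not page anyone, while a real flood of Discovers and Requests still trips the alert within the hold time.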

Auditing DHCP

Auditing DHCP is, from an attack detection
perspective, essentially the same as monitoring the DHCP performance
counters. You collect statistical data and determine whether an
attack is occurring based on that data. However, auditing DHCP
activity can give us more specific information and allow us to
examine attacks in greater detail.

Now the DHCP server will log all tasks that it performs. The log is a
text file stored in the
%SystemRoot%\System32\dhcp directory by default.
You can change this directory by modifying the path under the
Advanced tab in the previous dialog box. The files are stored with
the filename of DhcpSrvLog-day.log where
day is a three-letter abbreviation for the day
of the week, such as Mon, Tue, and so on.
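Reading that log for the attack footprint the chapter describes, as an added example (not code from the book). The sample lines are constructed in the seven-column layout of DhcpSrvLog-day.log (ID,Date,Time,Description,IP Address,Host Name,MAC Address); the event IDs follow the legend printed at the top of every Windows DHCP audit log (10 = new lease, 11 = renew, 12 = release, 14 = pool exhausted, 15 = lease denied). The host names, addresses, MACs and description strings are invented, and the one-minute window and the three-lease threshold are assumptions that a real deployment would replace with values from its own baseline.

```python
"""Reading the DHCP server audit log for attack indicators.

Added example, not code from the chapter. SAMPLE_LOG is constructed in
the seven-column DhcpSrvLog-<day>.log layout; every host, address and
MAC in it is invented.
"""
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

# Legend as printed in the header of the Windows DHCP audit log.
EVENT_MEANING = {
    "00": "log started", "01": "log stopped",
    "10": "new lease", "11": "renew", "12": "release",
    "13": "address found in use", "14": "pool exhausted",
    "15": "lease denied", "16": "lease deleted", "17": "lease expired",
}

# Constructed sample: a quiet morning, then five leases to five new MACs
# within three seconds, followed by the scope running dry.
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,05/17/04,08:00:01,Started,,,
10,05/17/04,08:00:15,Assign,192.168.1.20,WKS01.example.test,0002A5E1D2C3
11,05/17/04,08:03:40,Renew,192.168.1.21,WKS02.example.test,0002A5E1D2C4
10,05/17/04,09:12:01,Assign,192.168.1.30,,00AABBCC0001
10,05/17/04,09:12:01,Assign,192.168.1.31,,00AABBCC0002
10,05/17/04,09:12:02,Assign,192.168.1.32,,00AABBCC0003
10,05/17/04,09:12:02,Assign,192.168.1.33,,00AABBCC0004
10,05/17/04,09:12:03,Assign,192.168.1.34,,00AABBCC0005
14,05/17/04,09:12:04,Pool exhausted,,,00AABBCC0006
"""


def parse_audit_log(text):
    """Return event rows as dicts; header, legend and blank lines are skipped.

    Only the first seven columns are read, so logs from later Windows
    versions that append extra columns parse the same way.
    """
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 7 or not (len(row[0]) == 2 and row[0].isdigit()):
            continue
        event_id, date, time, desc, ip, host, mac = row[:7]
        try:
            when = datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S")
        except ValueError:
            continue  # malformed timestamp: not an event row
        records.append({"id": event_id, "when": when, "desc": desc,
                        "ip": ip, "host": host, "mac": mac})
    return records


def bucket_start(when, window_seconds):
    """Align a timestamp to the start of its fixed window (window must divide an hour)."""
    offset = (when.minute * 60 + when.second) % window_seconds
    return when.replace(microsecond=0) - timedelta(seconds=offset)


def pool_exhausted_events(records):
    """Event 14 rows: the server refused a lease because the scope was empty."""
    return [r for r in records if r["id"] == "14"]


def new_leases_per_window(records, window_seconds=60):
    """Count new-lease (event 10) rows per window."""
    counts = Counter()
    for r in records:
        if r["id"] == "10":
            counts[bucket_start(r["when"], window_seconds)] += 1
    return counts


def burst_windows(records, window_seconds=60, max_new=3):
    """Windows with more than max_new new leases, as (start, leases, distinct MACs).

    Many new leases to many distinct MACs in a short window is the footprint
    of the address-exhaustion attack described in the chapter; max_new should
    come from a baseline of the site's own log, just as the counter threshold does.
    """
    macs = {}
    for r in records:
        if r["id"] == "10":
            macs.setdefault(bucket_start(r["when"], window_seconds), set()).add(r["mac"])
    counts = new_leases_per_window(records, window_seconds)
    return [(start, counts[start], len(macs[start]))
            for start in sorted(counts) if counts[start] > max_new]


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_LOG)
    for start, leases, distinct in burst_windows(records):
        print(f"{start:%Y-%m-%d %H:%M}: {leases} new leases to {distinct} distinct MACs")
    for r in pool_exhausted_events(records):
        print(f"{r['when']}: {EVENT_MEANING[r['id']]} (requesting MAC {r['mac']})")
```

Against the constructed sample this reports one burst window at 09:12 (five leases, five MACs) and one pool-exhausted event; the MAC recorded on the event 14 row is the detail the performance counters cannot give you, and the per-row MACs in the burst window are what you would take to the switch port tables when tracing where the requests entered the network.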